I'm setting up rsyslog on a Red Hat 8 system. I have the first part working, that being filtering based on source IP, putting logs in a specific file, like this:
if $fromhost-ip startswith '10.1.2.45' then /var/log/test_all.log
& ~
What I'd like to do, that I cannot figure out the correct syntax for, is if sourcing from a host IP and the authpriv facility, put it in a file. I know I need that statement before the one I listed above, but I can't get it to work. I also tried the local7 (boot logs) and that didn't work either. The next two examples are syntaxes I tried that did not work:
Example 1:
if $fromhost-ip startswith '10.1.2.45' and $syslogfacility-text == 'local7' then /var/log/test_boot.log
& stop
if $fromhost-ip startswith '10.1.2.45' and $syslogfacility-text == 'local10' then /var/log/test_secure.log
& stop
if $fromhost-ip startswith '10.1.2.45' then /var/log/test_all.log
& stop
Example 2:
if $fromhost-ip startswith '10.1.2.45' and $syslogfacility-text == 'authpriv.*' then /var/log/test_secure.log
& stop
if $fromhost-ip startswith '10.1.2.45' then /var/log/test_all.log
& stop
---End of Examples---
Any help would be greatly appreciated.
Solution found here: rsyslog configuration syntax
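
An added example, not part of the original post, of one way to write the filter the question describes. The property $syslogfacility-text holds the bare facility name (authpriv, local7), so a comparison against 'authpriv.*' (selector syntax) or 'local10' (local facilities run from local0 to local7; authpriv is facility number 10) never matches. The IP and file paths are the ones from the question; the nested layout, the exact-match comparison and the omfile actions are this example's own choices.

```rsyslog
# Added example: route messages from one remote host by facility.
# Place this before the distribution's default rules so that "stop"
# keeps the remote messages out of the local log files.

if $fromhost-ip == '10.1.2.45' then {

    # authpriv (facility 10): sshd, sudo, PAM and other auth messages
    if $syslogfacility-text == 'authpriv' then {
        action(type="omfile" file="/var/log/test_secure.log")

    # local7: used for boot messages on Red Hat systems
    } else if $syslogfacility-text == 'local7' then {
        action(type="omfile" file="/var/log/test_boot.log")

    # everything else from this host
    } else {
        action(type="omfile" file="/var/log/test_all.log")
    }

    # Discard after writing; "stop" is the current form of the older "& ~".
    stop
}
```

Running rsyslogd -N1 checks the configuration for syntax errors before the service is restarted.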